K. Hoercher wrote:
On 9/20/06, Florian Prester <Florian.Prester@rrze.uni-erlangen.de> wrote:
Also I have some questions about eap at all. How should it work correctly. because I see up to 10 Authentication-Requests until the client is authenticated correctly. For example the client wants to do EAP-PEAP (Windows-client), but the radius says EAP-NAK: rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 231 modcall: leaving group authenticate (returns handled) for request 231 Sending Access-Challenge ... Finished request 231
What does it mean? Can I tune the process?
My guess would be, that your default_eap_type in eap.conf is not set to peap. So your supplicant (XP) is sending the NAK (not the server, it just logs that it got the NAK) to get the server to use peap. Depending on your needs you could change it. That's a normal part of EAP. As is the sending back and forth of Access-Requests and Access-Challenges to negotiate the details inherent to EAP.
OK - thanks. So I have to take a deeper look at the eap-process. But, ...
Log: rad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, length=202 NAS-Port-Id = "2059/1" Calling-Station-Id = "00-15-00-01-C0-D1" Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF" Service-Type = Framed-User User-Name = "unrz06" State = 0x... EAP-Message = 0x... NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 131.188.4.190 Message-Authenticator = 0x...
The username looks like a machine name for .uni-erlangen.de. Do you intend to use machine authentication? If so, what does a succesful request look like? Note, that it seems to only find matching DEFAULT entries, so peap would be impossible, as no User-Password is known to freeradius. Otherwise, you should check your XP setup to use the intended username/password credentials combo.
... no, that is not a maschine name or something. This a subsequent request, after a password has been submitted. looking a t EAP-Message, Authenticator.. and so on. But looking back at the foll request: ad_recv: Access-Request packet from host 131.188.4.190:20000, id=35, length=202 NAS-Port-Id = "2059/1" Calling-Station-Id = "00-15-00-01-C0-D1" Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF" Service-Type = Framed-User User-Name = "unrz06" State = 0x... EAP-Message = 0x... NAS-Port-Type = Wireless-802.11 NAS-Identifier = "Trapeze" NAS-IP-Address = 131.188.4.190 Message-Authenticator = 0x... Processing the authorize section of radiusd.conf modcall: entering group authorize for request 228 modcall[authorize]: module "preprocess" returns ok for request 228 modcall[authorize]: module "chap" returns noop for request 228 modcall[authorize]: module "mschap" returns noop for request 228 rlm_eap: EAP packet type response id 14 length 53 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 228 users: Matched entry DEFAULT at line 12 modcall[authorize]: module "files" returns ok for request 228 rlm_ldap: - authorize modcall[authorize]: module "ldap" returns ok for request 228 modcall[authorize]: module "perl" returns ok for request 228 modcall: leaving group authorize (returns updated) for request 228 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 228 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 228 modcall: leaving group authenticate (returns reject) for request 228 auth: Failed to validate the user. Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1) Sending Access-Reject of id 35 to 131.188.4.190 port 20000 EAP-Message = 0x040e0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 228 I do not get the reason why this request is rejected! Why does the modules "eap" reject a request? How can I debug eap?
regards K. Hoercher Thanks and best regards
F.Prester -- Dipl. Inf. Florian Prester Network Administration Regionales RechenZentrum Erlangen Universitaet Erlangen-Nuernberg Martensstr. 1 91052 Erlangen Germany Tel.: +499131 8527813